Posts

Showing posts from 2017

JSFuck is a bad security barrier.

TL;DR JSFuck can be reversed with fair ease by pattern matching (or simply string matching). Check out the code section for the actual code.
You can jump to the solution section if you don't want the background details. Why in my sane mind would I do this? I was recently analysing some of JS obfuscation strategy used by the websites. The popular ones were minification, uglification, loading JS from encoded strings, etc. Mostly they were deployed to hide the APIs from being exploited outside of the sites. But upon careful inspection, almost all of the JS obfuscation gave away their APIs and the extracted knowledge could be used to write wrappers for those in any language of choice (although, using JS had the advantage to use their codes directly). Then I hit upon another strategy which made this task seemingly impossible. JSFuck.

All the APIs required some form of keys to be sent with each request which was verified on the server side. These keys were generated by some form of hash…